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L STAITJSOFCXAlMS(37CF.R-§41.37(c)(l)(m)) 

A. TotalNumberof Claims in Application 

There aie 25 claims p^ing in the ^plication (claims 1, 3-15, and 17-27). 

B. Status of All the Ckdms 

Claims 1, 14^ and 15 are ind^jendent claims. According to pages 2-7 of the Final OfRce 
Action dated October 18, 2006 and according to pages 3-10 of the Examiner's Answer, which 
was nxailed on August 17, 2007, the Examiner states that claims 1,3-15, and 17-27 stand 
rejected, and are appealed. Claims 2 and 16 were canceled in the Amoxdment filed September 
12, 2006. 

C. Claims on Appeal 

There are 25 claims on appeal (claims 1, 3-15 and 17-27). 

IL GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL (37 C.F.R § 
4137(c)(l)(vi)) 

Claims 1. 3-15 and 17-27 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
U.S. Patent Publication No. 2004/0049693 ("Douglas") in view of U.S. Patent No. 6,08l,S94 
C'Mann"). 

ffl. ARGUMENT (37 CJF.R.§4137(c)(lKvu)) 

Appellant respectfully appeals each of the rejections applied against all claims now 
pending on appeal. 

CLAIMS 1 and 3-13 ARE ALLOWABLE OVER DOUGLAS AND MANN 

Appellant respectfully traverses the rejection of claims 1 and 3-13 under 35 
U.S.C.§103(a) over U.S. Patent Publication No. 2004/0049693 ("Douglas") in view of U.S. 
Patent No. 6,081,894 ("Mann"), at page 3 of the Final Office Action and at pages 3-5 and 6-8 of 
the Examiner's Answer. The asserted combination of Douglas and Mann teaches away from 
indep^ident claim 1. 
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The Final Office Action (pp. 3-4) and the Exaniiner*s. Answer (p. 3) acknowledges that 
Douglas does not disclose or suggest ^ response to detecting the intrusion event, isolating the at 
least one nettvoxk interface fiom the computer network and taking the host computer system 
down to a single user state so tiiat access to the host computer system is Iknited to physical 
access at the host computer system," as recited by indepradent claim 1 . The Office asserts that 
Mann discloses Uns element See Final Office Action^ p. 4 and the Examiner 's Answer, p. 3 . 

The Examiner's Answer and the Final Office Action misconstrue the teachings of Mann* 
For example, citing Mann, the Examiner' $ Answer asserts that Mann discloses *'taking the host 
computer system down to a single user state, as recited in claim 1 - Sec Examiner's Answer, p, 3, 
citing Mann, col. 3, lines 2-5. However, the cited passage discloses a data isolator that is 
responsive to a data comparator to isolate a first data channel from a second data channel to 
prevent viruses ftom being received by a data receiving entity. See Manrk coL 3, lines 2-5. 
Mann does not teach *1aking the host computer system down to a single user state," as recited in 
claim 1 * lastead, Mann discloses that the operating state of the receivii^ data atity is not 
disrupted. Specifically, Mann discloses that a "further advantage of the invention is that it 
isolates the data sending entity from the data receiving entity witiiout disruptixxg normal 
operation of either entity." See Mann, col. 2, lines 30-32 (emphasis added). Thus, Mannfeils to 
disclose or suggest ^taking the host computer down to a single user state," as recited in claim 1 . 

Thus, the asserted combination of Douglas and Mann fails to disclose or suggest each and 
every element of claim 1, and of claims 3-13, at least by virtue of their dependency from 
allowable claim 1- 

CLAIMS 15 and 17-27 ARE ALLOWABLE OVER DOUGLAS AND MAJNN 

Appellant respectfully traverses the rejection of claims 15 and 17-27 under 35 
U,S.C.§ 103(a) over Douglas and Mann, at page 3 of the Final Office Action and at pages 3, 5-6 
of the Examiner's Answer. The Final Office Action {Final Office Action, pp. 3-4) and the 
Examiner's Answer (p. 3) acknowledges that Douglas does not disclose or suggest, 'in response 
to detecting an intrusion event, isolating at least one network interface ftom a computer network 
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and taking a host system down to a single user state so that access to the host computer system is 
limited to physical access at the host computer system,^* as recited by independent claim 15. 

Claim IS recites a system that includes "a host computer system having at least one 
network interface interfaced with a computer network," where the host computer system is to 
"operate in a multi-user mode," "detect an intrusion event using a system daemon,*" and *'m 
response to detecsting the intrusion event, isolate the at least one network interface firom the 
computer netwoik mi take the host computer systrai down to a single user state so that access to 
the host computer system is limited to physical access at the host oon^utCT system." 

Mann Mis to disclose or suggest **taking the host computer down to a siogle user state," 
as recited in claim 1 5. In direct contrast to claim 15, Mann discloses that a "jEuriher advantage of 
the invention is that it isolates the data sending entity ftom the data receiving entity without 
disruntmg normal Qpemlion of cither entity." See Mam, col. 2, lines 30-32 (emphasis added). 
Hence, Mann fails to disclose or suggest '^taking the host computer down to a single user state," 
as recited in claim 15- 

Thus, the ass^cd combination of Douglas and Mann Ms to disclose or suggest each and 
every element of claim 15, and of claims 17-27, at least by virtue of their dependency from 
allowable claim 15. For at least the foregoing reasons, the rejection of claims 15 and 17-27 over 
Douglas and Mann should be withdrawn. 

CLAIM 14 IS ALLOWABLE OVER DOUGLAS AND MANN 

Appellant respectfully traverses the rejection of claim 14 under 35 U.S.C § 103(a) over 
Douglas in view of Mann at pages 3 and 6 of the Final Office Action and at page 5 of the 
Bcaminer's Answer. None of the cited references, alone or in combination, recite the particular 
combination of independent claim 14. 

The Final OfiSce Action and the Examiner's Answer reject claim 14 over "Douglas and 
Mann as applied to claims 1-8 and 10." See Final Office Action, p. 6 and ^ee Examiner '5 
Answer, p. 5, However, both the Final Office Action and the Examiner's Answer fail to indicate 
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the pardculax bases for the rejection, and the Appellant is left to guess as to how the Office is 
inteipretmg the references to apply to the actual claun language. 

Appellant notes that claim 14 recites: 

A method comprising: 

providing a host computer system having at least one network interfeoe interfaced with a 

computer network 
operating the host computer system in a multi-user mode; 
executing a system daemon on the host computer system; 

reading, by the system daemon, a configuration file that indicates at least one file in a file 
system of the host computer system to be monitored for intrusion, wherein the 
configuration file comprises a first directive type that indicates a directory whose 
members are to be monitored for intrusion, a second directive type that indicates a 
file to be monitored for intrusion, and a third directive type that indicates another 
configuration file to be monitored for intrusion; 

reading a valid MD5 signatui^ for a monitored file fi:om a database that is located on a 
second compute system isolated physically and programmatically fit)m the host 
computer system; 

detecting an mtrusion event using the system daemon by detecting that an MD5 signature 

of the monitored file differs fix>m the valid MDS signature; and 
in response to detecting the intrusion event: 

issuing an IFCONFIG down command to the at least one network interface to isolate the 
at least one network interface from the computer network; 

issuing an INITl command to an operating system of the host computer system to take 
the host computer system down to a single user state; and 

writing a log of the intrusion event to a log database that is not located on the second 
computer system. 

The cited references, alone or in combination, do not disclose or suggest the particular 
combination of claim 14. For example, the asserted combination of Douglas and Mann fails to 
disclose or suggest a method that includes ''operating the host computer system in a multi-user 
mode" and, "in response to detecting the intrusion event,'* *4ssumg an INITl command to an 
operating system of the host computer system to take the host computer system down to a single 
user state," as recited in claim 14. As discussed above, Mann provides isolation *Svithout 
disrupting noraial operation of either entity" (i.e., without disrupting nomial operation of a dala 
sending entity or a data receiving entity). See Mann, coL 2, lines 30-32, Thus, Mann feils to 
teach or suggest issuing a command *to take the host computer system down to a single user 
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State/* as recited in claim 14. Accordingly, claim 14 is allowable over the asserted combination 
of Douglas and Mann. 

For at least the foregoing reasons. Appellant respectftilly submits that the present 
^plication is in condition for allowance and reconsideration is respectfully requested. 

RESPONSE TO EXAMINER'S ARGUMENT 

The Exaxmnex's Answer states that 'the combination of the personal computer and the 
Internet is viewed as a system communicating in a multi-user state." See Examiner 's Answer, p. 
7. Appellant notes that the Office cites, no siqjport for this intcip^ Rejections on 
obviousness cannot be sustained by mere conclusory statements; instead, there must be some 
articulated reasoning with some rational uiideipinafcog to support the legal conclusion of 
obviousness. See KSR Int'l Co. v. Teleflex Inc., citing In re Kahn, 441 F.3d 977, 988 (CA Fed. 
2006). However, the fectfinder must be aware of distortion caused by hindsight bias and must be 
cautious of arguments reliant upon ex post reasoning. See KSR Int'l Co. v. Teleflex Inc, , citing 
Oraham v, John Deere, 383 U.S., at 36. "Determination of obviousness cannot be based on the 
hindsight combination of components selectively culled 6om the prior art to fit the parameters of 
the patented invention." See ATD Corp, v. Lydall Inc., 159 F.3d 534, 48 USPQ2d 1321 (Fed. 
Cir. 1998); see also KSR Int'l Co. u Teleflex Inc., 383 U.S., at 36. 

The Examiner's Answer states **flie combination of the personal computer and die 
Internet is viewed as a system communicating in multi-user state. The isolation of the computer 
from the Internet results in the computer operating in a single user state." See Examiner *s 
An^er, p. 7. Appellant respectfully traverses the asserted interpretation. The asserted 
interpretation is unsupported by the cited references. Communications betw^ ^ fi>^st user at a ^ 
data sending entity and a second user at a data receiving entity does not implicate a user state of 
the data receiving entity. 

Additionally, the cited references do not disclose or suggest that a multi-user mode is 
required for a personal computer to communicate with the Internet. Mann makes no mention of 
a multi-user mode. The OfiTioe interprets Mann as disclosmg a multi-user mode by introducing a 
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system that includes the Internet (i.e., the data sending device) and the personal computer (i.e., 
the data receiving device), where *the combination of the personal computer and the Internet is 
viewed as a system communicating in a multi-user mode/' Se^ the Examiner *s Answer ^ p. 7. In 
contrast to Manna claim 1 recites: 

operating the host computer system in a multi-user mode; 
detecting an intrusion event using a system daemon; and 

in response to detecting the intrusion event, isolating the at least one networic interface 

from the computer network and taking the host computer system down to a single 
user state so that access to the host computer system is limited to physical access 
at the host computer system. 

According to the interpretation proposed by the Office, the system of Mann (i.e., the 
Intemet and the personal computer) corresponds to the host computer system of claim 1 , and the 
system of Mann operates in a multi-user mode by communicating. However, this interpretation 
faUs because the system of Mapn cannot perform the method of ^^taking the host computer 
system down to a single usar state,"* as recited in claim 1 - 

While the Office su^ests that "isolation of fee compute from the Intemet results in the 
computer opemtiEe in a single user state," the OflSce ignores the fact that its proposed system of 
Mann also includes the Internet, and the Office fails to explain how a system that includes tihe 
Intemet can be reduced to a single user state. It is improper for the Office to propose a system 
from the reference to esqplain one element of the claim and to disregard the proposed syartem in 
explaining a second element of the same claim. The ^stan proposed by fee Office fiails to 
disclose or suggest each and every element of claim 1 . 

Additionally, "determination of obviousness cannot be based on fee hindsight 
combination of components selectively culled from fee prior art to fit fee parameters of the 
patented invention." ATD Corp. v. Lydall, Inc, 159 FJd 534, 48 USPQ2d 1321 (Fed. Cir. 
1 998). In Mann, fee data sending device is separate from fee data receiving device. See Marm, 
col 2, line 61 to col. 3, line 5 and Figure 1 . Accordingly, it is improper to selectively cull Mann 
to combine fee separate elements for the purpose of explaining fee "multi-user mode," and feen 
ignore fee feet that Mann teaches isolating fee receiving device 'Svifeout disrupting normal . 
operatioiL" See Mann, col. 2, lines 30-32. If a user state of the data receiving device of Mann is 
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changed by disconnecting the device, as suggested by the OfiBce, then the advantage of Mann is 
undermined. Accordingly, ±c asserted combination does not teach or suggest ''taking the host 
computer system down to a single user srtate," as recited in claim 1. 

Further, the interpretation proposed by the OjBBce is technically inconsistent with the 
teachings of Mann. Mann &ils to disclose or suggest that an operating state of the data sending 
device or of the data receiving device is altered. Instead, Mann discloses that the devices are 
isolated '*withoul disrupting normal operation of either entity." See Mann^ col. 2, lines 30-32. In 
Mann, the state of the operating mode of the sending entity is not altered by the tennination of 
the connection to the Intemet See Mann, col. 2, lines 30-32. Instead, tide data isolator 
disconnects the data receiving entity from the data sending entity (Le., disconnects the personal 
computer from the Internet). See Mann^ col. 2, line 62 to col. 3» line 5. Thus, the connection 
between Ae data sending device and the datarcceivipg device is altered, but Mann fails to 
disclose or suggest that a user state of the data receiving device is altered. 

Additionally, in Mann,, the data isolator is disclosed as operating the same way whether 
the data receiving device is a personal computer or a local area network. When the data 
receiving entity is a Local Area Network (as suggested by Mann at col 2, line 64), the local area 
network is not indicated to be reduced to a single user state. Consistent with the teachings of 
Mann, the local area network can be isolated from the Intemet, but otherwise continues to 
operate without disruption to normal operatioa See Mann, coL 2, line 30-32- Accordingly, 
Mann fails to disclose or suggest altering a user state associated with either the sending data 
entity or the receiving data entity. 

The suggestion by the Office, at page 7 of the Examiner's Answer, that severing the 
communication between the Intemet and the personal computer **results in the compute: 
operating in a single user slate" is unsupported by the reference and should not be sustained. 
Communications between a first user at a data sending entity'and a second user at a data 
receiving entity does not implicate a user stale of the data receiving entity. 

Thus, for at least the foregoing reasons, the cited references, including Douglas and 
Mann, alone or in combination, feil to disclose or suggest each and eveiy element of the claims. 
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Accordingly, the rqection of clainis 1, 3-15 and 17-27 over Douglas and Mann is improper and 



should be ivithdiawn. 

IV. CONCLUSION 

For at least the above reasons, aU pending claims are allovvable and a notice of allowance 
is courteously solicited. Please direct any questions or comments to the undersigned attorney at 
the address indicated- Appellant respectfully requests reconsideration and allowance of all 
claims and respectfiilly requests liiat this patent application be advanced to issue. 



Respectfully submitted. 
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Attorney for Appllcant(s) 
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